CVE-2026-1104 is a critical authorization bypass vulnerability identified in the FastDup – Fastest WordPress Migration & Duplicator plugin, widely used for WordPress site migration and backup. The root cause is a missing capability check on REST API endpoints that handle backup creation and download requests. Specifically, the plugin fails to verify whether the authenticated user has sufficient privileges before allowing these sensitive operations. As a result, any authenticated user with Contributor-level permissions or higher can exploit this flaw to generate and download a complete backup archive of the WordPress site. This archive includes all website files, database exports, and configuration files, exposing sensitive credentials, site configurations, and potentially user data. The vulnerability affects all versions up to and including 2.7.1. The CVSS v3.1 base score is 8.8, indicating a high-severity issue with network attack vector, low attack complexity, and no user interaction required. The scope is unchanged but the impact on confidentiality, integrity, and availability is high because attackers can exfiltrate critical site data and potentially leverage it for further attacks. Although no public exploits have been observed, the vulnerability is straightforward to exploit for any authenticated user with minimal privileges. This makes it a significant risk for WordPress sites using this plugin, especially those with multiple contributors or editors. The vulnerability was publicly disclosed in February 2026, with no official patches available at the time of reporting, increasing urgency for mitigation.

The impact of CVE-2026-1104 is substantial for organizations running WordPress sites with the FastDup plugin installed. Attackers with Contributor-level access can bypass authorization controls to obtain full backups containing sensitive information such as database credentials, user data, and site configuration files. This can lead to complete site compromise, data breaches, and further lateral attacks such as privilege escalation or persistent backdoors. The integrity of the site can be undermined if attackers modify backups or configurations. Availability may also be affected if attackers delete or corrupt backups or site data. Organizations relying on this plugin for migration or backup are at risk of data exfiltration and operational disruption. The vulnerability is particularly dangerous in environments with multiple authenticated users or where Contributor roles are assigned liberally. The lack of known exploits in the wild does not reduce the risk, given the ease of exploitation and high impact. This vulnerability could also be leveraged in targeted attacks against high-value WordPress sites, including e-commerce, media, and government portals.

To mitigate CVE-2026-1104, organizations should immediately restrict Contributor-level and higher user roles from accessing the FastDup plugin’s backup and migration features until a patch is available. Implement custom capability checks or use WordPress hooks to enforce strict authorization on REST API endpoints related to backup creation and download. Monitor and audit user roles and permissions to ensure minimal privilege principles are enforced, limiting Contributor access where possible. Disable or uninstall the FastDup plugin if it is not essential. Regularly update the plugin as soon as the vendor releases a patch addressing this vulnerability. Additionally, implement web application firewalls (WAFs) with rules to detect and block suspicious REST API calls related to backup operations. Conduct thorough logging and alerting on backup creation and download activities to detect unauthorized attempts. Finally, educate site administrators about the risks of granting Contributor-level access and encourage strong authentication controls.